SSH

Abstract

Stands for Secure SHell
A Network Protocol used to enable developers to manage Server and network devices remotely with encryption

SSH Packet

Encryption in transit

The diagram at the left hand side shows all the components of a SSH packet. The diagram at the right hand side shows only Packet Length and Message Authentication Code are unencrypted when the SSH packet is transmitted over the Computer Network.

Packet Component	Purpose
Packet Length	Indicates the total length of the packet in Byte (excluding the length field itself).
Padding amount	Determines the size of padding.
Payload	The actual data being transmitted. Usually compressed with a tool like zlib - Wikipedia.
Padding	Randomly generated bytes used to obscure the true length of the payload, making it harder to analyze the traffic.
Message Authentication Code	A Hash Digest calculated using the packet contents and a shared secret key. This ensures the packet hasn’t been tampered with and originates from the correct sender. A Digital Signature if Public-key Cryptography Authentication is used.

SSH Channel

A single SSH connection can be multiplexed into multiple SSH channels simultaneously, each transferring various types of data bidirectionally

Example

Session Channel

Channel used for running commands on remote Host

Port Forwarding Channel

For Local Port Forwarding

X11 Channel

Forwarding X11 (graphical user interface) traffic, allowing remote X11 applications to be displayed on the local machine

SSH Public-key Cryptography Authentication

We can use username and password, but SSH supports Asymmetric Cryptography which is more secure

Why not just use the good old username and password?

First, password is vulnerable to brute-force attacks, you know users tend to set weak passwords :)

Second, we may have multiple users accessing the same remote server account. Using password means all users share the same password, on the other hand, with public-key, each user has his own private key to access the remote server. When we want to remove a user’s access, we just need to remove his public key from the remote server.

Setup Public-key Cryptography Authentication
Generate Public Key and Private Key using EdDSA, ED25519 (Much shorter key than RSA with the same level of encryption)
ssh-keygen -t ed25519 -C "YOUR_COMMENT" # ed25519 keys are a lot shorter than rsa keys without sacrificing security
Copy the public key(the key ends with .pub) to the remote Host (Should be stored inside ~/.ssh/authorized_keys by default)
ssh-copy-id -i /path/to/your/public_key username@remote_hostname
Disable password authentication & enable public key authentication. Modify /etc/ssh/sshd_config, uncomment and set the following attributes
PasswordAuthentication no
PubkeyAuthentication yes
Restart the SSH server on the remote host
# Linux
sudo systemctl restart sshd
 
# MacOS
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
SSH into remote host with private key!
ssh -i /path/to/your/private_key username@remote_hostname

CS Notes

Recent Updates

Java Sprintboot

Code Editor Setup

PromQL

Explorer

SSH

Abstract

SSH Packet

SSH Channel

SSH Public-key Cryptography Authentication

References

Table of Contents

Backlinks

Graph View